On Mon, Dec 17, 2001 at 08:34:55AM -0800, Liger-dc wrote:
> Flow-tools has the following command to get the following data...
>
> flow-stat -w -P -S3 -f10 -T ATLA for 2001/12/16 from flow-filter -f filters -Dmulticast

What version of flow-tools has a flow-stat that supports all those options?
They certainly aren't working for me with flow-tools-0.55.

> #
> #
> # src IPaddr dst IPaddr flows octets packets duration
> #
> 128.42.33.20 224.2.182.211 1.026 44.863 18.181 2.400
> 136.145.54.124 224.4.4.4 0.493 9.408 4.836 1.165
> 131.193.77.102 224.2.177.155 2.121 7.143 4.692 4.300
> 204.121.50.17 224.2.177.155 2.088 6.003 4.442 4.385
>
> This shows who's multicasting what...
> Is there a similar utility or command that I can run on
> cflowd that does the same thing?

Can you not do this by installing flow-tools on the machine where your
cflow raw flow files are, then use flow-import and flow-stat, since
flow-import can now apparently read cflowd-format raw flow files?

In the yet-another category, I wrote a somewhat similar script called
"top_mcast" (attached) that you can run on a raw flow-file whether it
was produced by cflowd or flow-tools.

The output looks like this:

    %bytes  %pkts   %flows  host
    ------  ------  ------  ----
    24.074  23.026  12.500  10.42.69.10 "host10.our.domain"
    23.073  23.684  12.500  10.42.69.13 "host13.our.domain"
    19.626  20.395  12.500  10.42.69.12 "host12.our.domain"
    ...

"top_mcast" requires the following to be installed:

    Cflow perl module -
        http://net.doit.wisc.edu/~plonka/Cflow/
    Net::Patricia perl module - CPAN or
        http://net.doit.wisc.edu/~plonka/Net-Patricia/
    ip2hostname script - (supplied with FlowScan-1.006)
        http://net.doit.wisc.edu/~plonka/FlowScan/

The attached version of "top_mcast" doesn't show the MCAST destination
address though, since I don't usually care about the ephemeral group
addresses - I just want to know who sourced all the traffic.

If you wanted to see the MCAST addresses, something like this may be
more appropriate:

    $ flowdumper \
        -I 'use Socket;
            use Net::Patricia;
            $pt = Net::Patricia->new;
            map { $pt->add_string($_, 1) } qw( 224.0.0.0/4 )' \
        -n \
        -e '$pt->match_integer($dstaddr) &&
            (($total{$dstaddr}{$srcaddr}{flows}++),
             ($total{$dstaddr}{$srcaddr}{bytes} += $bytes),
             ($total{$dstaddr}{$srcaddr}{pkts} += $pkts),
             ($Flows++, $Bytes += $bytes, $Pkts += $pkts),
             1)' \
        -E 'while (($DST, $hv) = each(%total)) {
                while (($SRC, $ref) = each(%$hv)) {
                    printf("%-15.15s %-15.15s %-6.3f %-6.3f %-6.3f\n",
                           inet_ntoa(pack("N", $SRC)),
                           inet_ntoa(pack("N", $DST)),
                           100*($ref->{flows}/$Flows),
                           100*($ref->{bytes}/$Bytes),
                           100*($ref->{pkts}/$Pkts));
                }
            }'

and you could sort the output with "sort -k3rn".

Dave

P.S. With regard to performance, my perl script probably can't compete
with flow-stat. It's just another way to do it, and may be more easily
customizable. For instance, if I want to restrict "top_mcast" to just
consider MCAST flows which don't have an ingress ifIndex of 35, I can
customize the flow selection expression thusly:

$ diff top_mcast /tmp/top_mcast
12c12,13
< -e '$pt->match_integer($dstaddr) &&
---
> -e '35 != $input_if &&
> $pt->match_integer($dstaddr) &&
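
Review bot: the literal 35 in the added "35 != $input_if" test identifies an interface only on one exporting router, so if the flow file holds records from more than one exporter this also drops multicast flows that arrived on ifIndex 35 of the others. Consider pairing the test with a check on which router exported the flow, and setting the excluded ifIndex as a named variable in the -I block so the exclusion is documented in one place.
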
-- plonka@doit.wisc.edu http://net.doit.wisc.edu/~plonka ARS:N9HZF Madison, WI
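
The per-(source, group) aggregation done by the flowdumper one-liner above, as an added example that is not part of the original message or of top_mcast. It runs on constructed flow tuples instead of raw flow files; the tuple layout and the skip_input_if parameter are assumptions made for the illustration, and it goes one step further than the one-liner by sorting the rows and guarding against zero totals.

```python
import ipaddress
from collections import defaultdict

MCAST = ipaddress.ip_network("224.0.0.0/4")  # same prefix the one-liner loads

# Constructed sample records (not real traffic):
# (srcaddr, dstaddr, input_if, bytes, pkts)
FLOWS = [
    ("10.42.69.10", "224.2.177.155", 12, 6000, 40),
    ("10.42.69.10", "224.2.177.155", 12, 2000, 10),
    ("10.42.69.13", "224.2.177.155", 35, 1500, 30),
    ("10.42.69.12", "224.4.4.4",     12,  500, 20),
    ("10.42.69.12", "192.0.2.7",     12, 9000, 90),  # unicast, must be ignored
]


def pct(part, whole):
    """Percentage share, 0.0 when the total is zero (e.g. all-zero counters)."""
    return round(100.0 * part / whole, 3) if whole else 0.0


def top_mcast(flows, skip_input_if=None):
    """Return [(src, group, %flows, %bytes, %pkts)], largest byte share first.

    Shares are relative to the matched multicast flows only, as in the
    one-liner, where the totals are incremented inside the match expression.
    skip_input_if (hypothetical parameter) mirrors the ifIndex exclusion.
    """
    per_pair = defaultdict(lambda: [0, 0, 0])  # (src, group) -> flows, bytes, pkts
    totals = [0, 0, 0]
    for src, dst, input_if, nbytes, pkts in flows:
        if input_if == skip_input_if:
            continue
        if ipaddress.ip_address(dst) not in MCAST:
            continue
        for i, value in enumerate((1, nbytes, pkts)):
            per_pair[(src, dst)][i] += value
            totals[i] += value
    rows = [(src, group, *(pct(c, t) for c, t in zip(counts, totals)))
            for (src, group), counts in per_pair.items()]
    return sorted(rows, key=lambda row: row[3], reverse=True)


if __name__ == "__main__":
    for row in top_mcast(FLOWS):
        print("%-15s %-15s %7.3f %7.3f %7.3f" % row)
```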
-- cflowd mailing list cflowd@caida.org
This archive was generated by hypermail 2b29 : Wed Dec 19 2001 - 09:35:51 PST